This 38 message thread spans 2 pages: 1 [2]
Phishing Filters and User Privacy - browsers that "phone home"
encyclo




msg:3146776
 8:51 pm on Nov 5, 2006 (gmt 0)

The latest "must-have" features in modern browsers include anti-phishing technology where visited sites are assessed for their likelihood to steal end-user personal information.

Internet Explorer 7 includes a "Phishing Filter":

[microsoft.com...]

In the case of Microsoft, data is transmitted to their servers via a secure connection which includes every URL you visit, however according to the IE7 privacy statement [microsoft.com] query strings are not transmitted, so for example your specific Google or MSN searches will not be sent. The URLs submitted in real time are compared to a database held by Microsoft, which returns information to the browser regarding the URL.

Phishing Filter is designed to warn you if the website you are visiting might be impersonating a trusted website. Phishing Filter does this by first checking the address of the website you are visiting against a list of website addresses stored on your computer that have been reported to Microsoft as legitimate ("legitimate list"). (...) addresses not on the legitimate list will be sent to Microsoft and checked against a frequently updated list of websites that have been reported to Microsoft as phishing, suspicious, or legitimate websites. (...) the address of the website you are visiting will be sent to Microsoft, together with some standard information from your computer such as IP address, browser type, and Phishing Filter version number. To help protect your privacy, the address information sent to Microsoft is encrypted using SSL and limited to the domain and path of the website. Other information that may be associated with the address, such as search terms, data you entered in forms, or cookies, will not be sent.

Firefox 2.0 takes a different route, called "Safe Browsing". The biggest difference is that data is not sent to Mozilla or any other source, but each URL you visit is checked against a local list which is downloaded periodically from Mozilla.

When Phishing Protection is used in default mode, no information about the sites you visit is sent to Mozilla or anti-phishing partners. Rather, sites are checked against a local list that is downloaded to your computer and updated on a regular basis.

Source: [mozilla.com...]

Firefox's solution certainly appears to avoid any privacy problems as the data remains on the end-user's machine. But the lack of a real-time lookup reduces the potential effectiveness faced with a rapidly-evolving threat.

Finally, Opera. Opera 9 does not include phishing protection, but such measures are expected in Opera 9.1 onwards. From OperaWatch [operawatch.com]:

Opera's Fraud Protection will work differently than Firefox and Internet Explorer's (IE) anti-phishing protection. In Opera, when you type a URL in the address bar, while the page is being requested from the web server, Opera will simultaneously access Opera's database to check the legitimacy of the site you want to visit.

If the site is determined to be a fraud, Opera will instead display a warning and block you from visiting the site. You'll still have the option to bypass the warning.

So, in your opinion is anti-phishing protection (using any method) really a useful tool, or is it just part of a marketing exercise where each browser must keep up with the others? Do you think anti-phishing will work? Are you concerned about the "phone home" aspects of real-time URL lookups sent to Microsoft or Opera?

[edited by: encyclo at 1:44 am (utc) on Nov. 6, 2006]
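The two lookup models described in the post above, as an added example that is not part of the original post and is not any browser's actual code: it shows what would leave the machine under a real-time lookup limited to "domain and path" versus a purely local list check. The host names, list contents and function names are constructed for illustration, and dropping the port and userinfo is an assumption about what "domain and path" covers.

```python
from urllib.parse import urlsplit

# Constructed sample data, not real browser lists.
LEGITIMATE_HOSTS = {"www.example-bank.test"}            # local "legitimate list"
LOCAL_BLOCKLIST = {"login.example-phish.test/verify"}   # periodically downloaded list

# Constructed browsing session used to compare the two models.
SESSION = [
    "https://www.example-bank.test/account?id=42",
    "https://search.example.test/results?q=private+medical+term",
    "https://intranet.example.test/reset/token-abc123?next=/home",
    "http://login.example-phish.test/verify?session=1",
]


def host_and_path(url):
    """Reduce a URL to host + path: no scheme, userinfo, port, query or fragment."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host, host + (parts.path or "/")


def remote_lookup_payload(url):
    """Real-time model: return the string that leaves the machine, or None."""
    host, reduced = host_and_path(url)
    if host in LEGITIMATE_HOSTS:
        return None      # matched the local legitimate list, nothing is sent
    return reduced       # would be sent (encrypted) to the lookup service


def local_lookup(url):
    """Local-list model: return (is_listed, payload_sent); nothing is ever sent."""
    _, reduced = host_and_path(url)
    return reduced in LOCAL_BLOCKLIST, None


def disclosed(urls):
    """Everything the real-time model would transmit for a browsing session."""
    return [p for p in map(remote_lookup_payload, urls) if p is not None]


if __name__ == "__main__":
    for item in disclosed(SESSION):
        print("sent:", item)
    print("local verdicts:", [local_lookup(u)[0] for u in SESSION])
```

The search terms are stripped along with the rest of the query string, but the constructed reset token still appears in the transmitted value because it sits in the path.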

 

incrediBILL




msg:3148992
 5:44 pm on Nov 7, 2006 (gmt 0)

leaking user data

You're more concerned with this than all those leaky toolbars people install for Yahoo, Google, Alexa and so forth?

Give me a break.

There's a long way to go before getting to the sort of on-page analysis suggested by IncrediBILL in the above post.

Really?

Send me a couple of hundred sample phish sites and I'll send you the code.

I'm pretty sure my parked and hijacked domain project was more complicated.

encyclo




msg:3149013
 6:04 pm on Nov 7, 2006 (gmt 0)

Send me a couple of hundred sample phish sites and I'll send you the code.

I agree with you on this (my previous post wasn't supposed to read as a criticism of your comments, quite the opposite). It should be doable and even relatively simple as you have described - just that none of the current browser implementations are taking this approach. I agree with you that they should be taking this further rather than simply doing lookups on domain names.

than all those leaky toolbars people install

But the spyware toolbars aren't part of a standard installation, whereas the anti-phishing feature is. Of course, the same situation can be said of the Firefox update mechanism which equally phones home on a regular basis.

incrediBILL




msg:3149125
 6:53 pm on Nov 7, 2006 (gmt 0)

I agree with you that they should be taking this further rather than simply doing lookups on domain names.

See, I doubt they are simply doing just lookups.

MSN could be scanning everything in their index, much like McAfee SiteAdvisor, and pre-screening pages as they crawl and update their index. The logic actually gets much simpler if you compare pages to a search engine's index that have been pre-evaluated in the last 14 days or so. You would only need to reasonably check pages older than a week or 2, or pages that have never been indexed, as phishers install stuff in places never seen before so they are almost ALWAYS new pages and with an index of the online universe behind your service you know when new pages appear easily.

True, a DNS poisoning or a hack could mess that scenario all up ;)

I'm thinking someone could easily write an anti-phishing detector and plug it into a personal proxy server on the local machine, doesn't even need to be in the browser itself.

hk995




msg:3149219
 8:09 pm on Nov 7, 2006 (gmt 0)

I'm thinking someone could easily write an anti-phishing detector and plug it into a personal proxy server on the local machine, doesn't even need to be in the browser itself.

That would be a good idea! I'll be the first one to buy it!

Tapolyai




msg:3149369
 9:59 pm on Nov 7, 2006 (gmt 0)

I am sure it is possible to write something that would recognize a web site as a phishing site without a site domain name database (for example a Bayesian probability).

The problem I see is both Microsoft and Mozilla use a database of site names (if I am reading their implementation correctly), not signatures or statistical analysis of content - such a solution would allow recognition of a site to be phishing, even if it is not in the database.

Again, I think the implementation is faulty at best. This does not mean the general public and the media will not accept it as the "sliced bread" of anti-phishing.

We have ample examples of misguided, limited, short-sighted or simply useless solutions implemented and accepted as the panacea.

I just think this technical solution is a knee-jerk reaction, and with not much research and think-through.

incrediBILL




msg:3149535
 12:29 am on Nov 8, 2006 (gmt 0)

Again, I think the implementation is faulty at best.

That's an assessment made on minimal information.

If I was MS or Google I'd be quiet about specifics so the phishers don't adapt.

'Nuff said.

encyclo




msg:3149599
 1:51 am on Nov 8, 2006 (gmt 0)

If I was MS or Google I'd be quiet about specifics so the phishers don't adapt.

Yes, because security by obscurity really helped Microsoft with regards to IE's security record. ;)

As for Firefox, I assume (sorry I'm still on FF 1.5 so I can't check) that the downloaded file is accessible on the client machine, as it's not their style to do encrypted or binary formats. It is easy enough to check what details are being checked by the anti-phishing service.

Tapolyai




msg:3149686
 3:49 am on Nov 8, 2006 (gmt 0)

Again, I think the implementation is faulty at best.

That's an assessment made on minimal information.

If I was MS or Google I'd be quiet about specifics so the phishers don't adapt.

'Nuff said.

You are presuming too much. ;)

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved